py-snowballstemmer: updated to 3.1.1
3.1.1
+ Skip classifier for Sesotho which isn't yet in the official list of
trove classifiers.
+ Add classifier to indicate support for Python 3.14.
py-distlib: updated to 0.4.1
0.4.1
- scripts
- Fix path traversal bug in handling entry points which allowed escaping the scripts directory.
Thanks to tonghuaroot for the comprehensive report.
- tests
- Fix: Change test function following a reorganization which happened in the Python stdlib.
harfbuzz: updated to 14.2.1
14.2.1
Various AAT shaping fixes: legacy mort contextual offsets (which could produce out-of-font glyph IDs), in-place deleted-glyph replacements, and overflow in obsolete offset math.
Fix Arabic PUA fallback shaping for the isolated lam-alef-maksura ligature.
Fix float-to-int overflow in avar2 mapping with malformed fonts.
Harden buffer verification after detecting non-monotone clusters.
Various COLR v1 fixes: fix handling of .notdef without paint, round alpha consistently, and report the root clip under the font transform.
Various Glyph-extents fixes: inclusive rounding, and floating-point scaling before rounding so the reported box always covers the glyph.
Various Subsetting fixes: keep the palt spacing feature by default, raise the repacker MAX_SPACES limit, fix a repacker crash on shared LigatureSet nodes, guard gvar size overflow on 32-bit, and fix the post glyph-name sort comparator on macOS.
Replace std::sort with an internal quicksort, removing leaked std:: symbols from the libharfbuzz ABI.
Harden size computations with saturating arithmetic against 32-bit overflow.
Various improvements to the experimental Rust shaper (HarfRust) and font functions (fontations): honor custom font funcs, key shape plans on features, faster buffer handling, and update to HarfRust 0.8.
Various fixes to the experimental harfbuzz-gpu and harfbuzz-vector libraries, including a harfbuzz-vector heap buffer overflow and Windows build fixes.
Map the Hrkt (Katakana or Hiragana) script tag to the kana OpenType tag.
Build configuration: new HB_CONFIG_OVERRIDE_LAST_H override header, decouple HB_NO_DRAW from HB_NO_CFF, and an optional hb-allocator Cargo feature.
Various build, CI, and fuzzing fixes.
adguardhome: updated to 0.107.77
0.107.77
Security
Authorization in GLiNET mode is no longer vulnerable to path traversal attacks.
NOTE: This is CVE-2026-41448. We thank @djnnvx for reporting this security issue.
Added
New reason query parameter in GET /control/querylog. See openapi/openapi.yaml for the full description.
Deprecated
Query parameter response_status in GET /control/querylog is now deprecated. Use new reason query parameter instead.
filesystems/py-fuse-bindings: Clean up fuse bl3
There was longstanding commented-out confusion about whether this
depended on some fuse implementation or the specific standard but
non-portable approach. Decide that mk/fuse.buildlink3.mk is the right
answer and just do that, without any commented-out alternatives.
filesystems/py-fuse-bindings: Update to 1.0.9
Upstream's new tests fail, and I don't think that's a pkgsrc bug, but
a test bug.
Works with bup!
Upstream NEWS:
bug fixes and minor improvements
filesystems/py-fuse-bindings: Adapt to python function deprecations
convert to wheel.mk
Now, importing fuse in python 3.13 succeeds, instead of failing with a
missing symbol, as one would expect from the undefined name warning
during the build.
